Conversations 16: Reflections on Ruxcon 2016

This episode of Corrupted Nerds takes a look at the Ruxcon 2016 information security conference held in Melbourne on 22 and 23 October.

Just like our look at Ruxcon 2015, I'm joined by Michael McKinnon, now director of commercial services at Sense of Security; and Darren Pauli, security reporter for The Register.

There's also a conversation about measuring risk with Ron Gula, founder of Tenable Network Security.

The discussion was recorded on 28 October 2016 on the banks of the Coburg Lake Reservoir in Melbourne. The interview with Ron Gula was also recorded on 28 October 2016.

For full credits see: http://corruptednerds.com/pod/c00016/

Duration: 54:06

Conversations 15: Leslie Nassar discusses the news
https://corruptednerds.com/pod/c00015/
Published: Fri, 04 Dec 2015 03:19:46 +0000

In a surprise experimental episode, Leslie Nassar, co-founder of Wrangling Cats, freelance writer and builder of Twitter things since 2007, joins Stilgherrian to talk about some of the stories in the news.

This episode was recorded on Wednesday 2 December 2015 in Sydney, Australia.

For full credits see: http://corruptednerds.com/pod/c00015/

Conversations 14: Joe Franzi, Australian Signals Directorate
https://corruptednerds.com/pod/c00014/
Published: Wed, 25 Nov 2015 11:19:38 +0000

Joe Franzi, Assistant Secretary for Cyber Security with the Australian Signals Directorate (ASD), gives his first on-record media interview in his five years in that role.

It’s not often that we get to hear from people like Joe Franzi. He’s been working in Australia’s defence and intelligence community for more than 37 years. Most recently, that’s been with the ASD, formerly the Defence Signals Directorate (DSD), Australia’s equivalent to, and partner with, the US National Security Agency.

The ASD isn’t just cyber spies. Like the NSA, it’s also responsible for defending government, military and other critical communications networks. That’s where Franzi currently fits in, and for the last year his team has been the defence-sector contribution to the Australian Cyber Security Centre (ACSC), opened a year ago.

A spoiler: there are no grand secrets in this interview. Maybe next time. But what you will hear are some intelligent comments about risk management — including a view on whether Australia’s new prime minister Malcolm Turnbull should really be using commercial email services — and about the cultural issues that come up when you put together a cyber defence team from disparate organisations.

This interview was recorded on Thursday 15 October 2015 in Melbourne, Australia, during the annual conference of the Australian Information Security Association (AISA).

If you enjoyed this podcast, why not make a tip, or even subscribe? Every contribution helps me provide these podcasts for free.

Thank You

This episode of Corrupted Nerds was sponsored by Mercury ISS.

Is penetration testing spitting out the same generic recommendations with no improvement? Mercury ISS makes a point of working alongside customers to enhance their security posture. With value for money and one of the best teams in the business be sure to check out their services at mercuryiss.com.au.

For full credits see: http://corruptednerds.com/pod/c00014/

Conversations 13: Reflections on Ruxcon 2015
https://corruptednerds.com/pod/c00013/
Published: Sun, 01 Nov 2015 09:55:09 +0000

The Corrupted Nerds podcast returns, kicking off a new series with a look at the Ruxcon 2015 information security conference held in Melbourne on 24 and 25 October.

In this first episode of series two, it’s a break from the usual long-form interview format to bring you a panel discussion. Joining me, Stilgherrian, are: Michael McKinnon, social media and security awareness director for AVG Technologies AU; and Darren Pauli, security reporter for The Register.

There’s also a conversation with Dr Vanessa Teague, a cryptographer from the University of Melbourne, about the security of electronic voting systems.

The panel conversation was recorded on 31 October 2015, with both Michael McKinnon and Darren Pauli at their homes in Melbourne — which is why you can hear chickens and dogs. The interview with Vanessa Teague was recorded on 30 October 2015.

For full credits see: http://corruptednerds.com/pod/c00013/

The Return of the Corrupted Nerds podcast
https://corruptednerds.com/pod/c00012a/
Published: Mon, 12 Oct 2015 09:05:42 +0000

If you’ve been wondering what’s happened to the Corrupted Nerds podcast, well, it’s coming back — but it needs your help.

This week I'm heading to Melbourne for the Australian Information Security Association's annual conference. I'm recording some material there.

But more importantly, I'm running a Pozible crowdfunding campaign to get me to the Ruxcon infosec conference later in the month, and to fund the next few episodes of the podcast.

As I post this, the campaign is 43% funded, and there are just three days left to reach the target.

For all the details, go to http://pozible.com/corruptednerds2 because the podcast won't be back without your support. Do it now.

Extra: Malcolm Turnbull opens NICTA Techfest 2015
https://corruptednerds.com/pod/e00002/
Published: Sat, 21 Feb 2015 06:33:42 +0000

This Corrupted Nerds: Extra podcast brings you a speech by Malcolm Turnbull, Australia’s Minister for Communications, and potential contender for the Prime Ministership. He’s a hot political topic in Australia right now.

The speech itself was given to open the NICTA Techfest 2015, NICTA being Australia’s largest ICT research organisation. There are plenty of motherhood statements about creating a more technological future for Australia — and a big plug for Germany’s approach to developing an agile technological future.

But it’s perhaps more interesting because it’s effectively another instalment in Turnbull’s ongoing softly-softly job interview in front of Australian voters.

The recording also includes the brief doorstop press conference held immediately after the speech, during which I ask a couple of questions, which in turn raised the story of King Cnut.

There were also questions about NICTA losing its government funding, and Australia’s National Broadband Network (NBN).

This material was recorded on 20 February 2015 in Sydney, Australia.

For full credits see: http://corruptednerds.com/pod/e00002/

Conversations 12: Metadata & surveillance with Carly Nyst
https://corruptednerds.com/pod/c00012/
Published: Sun, 19 Oct 2014 21:40:19 +0000

The Australian government will soon introduce legislation making it compulsory for telecommunication companies to record the data about their customers’ use of their services for up to two years, and make it available to law enforcement and intelligence agencies. But is it the right way to go?

“This is very much the way in which western nations are going, it’s been the case in Europe under the European Data Retention directive for some little while now,” said Attorney-General George Brandis on 16 July.

But what he didn’t say was that the European Court of Justice has declared the blanket recording of telecommunications data to be a breach of human rights. It isn’t a proportionate response to the claimed threat, and there’s no evidence that it’ll actually even help.

“What we’re being asked to do is ourselves — innocent law-abiding citizens — to sacrifice our own liberties, our own rights, in the vague hope that it will somehow catch these handful of Nazi Pedos who are out there,” said Carly Nyst, London-based legal director of Privacy International.

“Nazi Pedos” is PI’s label for the “general all-encompassing bad person who lives on the internet”, says Nyst. Terrorists, pedophiles, cyber criminals, or whoever else we’re meant to be afraid of this week.

Nyst spoke about the legal and privacy issues surrounding the metadata proposals at a public meeting titled “Data Retention: the European Experience”, organised by Electronic Frontiers Australia and the Australian Privacy Foundation. This episode of Corrupted Nerds: Conversations presents a lightly-edited version of that event, including questions and comments from the audience.

This conversation was recorded on 15 October 2014 in Sydney, Australia.

An episode of The 9pm Edict podcast, The 9pm Team Australia, in which I discuss the application and misapplication of Godwin’s Law. The relevant segment starts at 34 minutes 45 seconds and runs for a little over ten minutes.

For full credits see: http://corruptednerds.com/pod/c00012/

Conversations 11: Future of the media with Bob Garfield
https://corruptednerds.com/pod/c00011/
Published: Tue, 12 Aug 2014 11:40:54 +0000

Remember when the media was a great business to be in? Thanks to the digital revolution, that’s all changed. So what now?

“For 300-plus years, it was great for the audience, they got free and subsidised content. It was great for advertisers ‘cos they got audience. And it was great for media, ‘cos they got filthy stinking rich,” says Bob Garfield, former advertising man, veteran journalist and columnist, and co-presenter of the US National Public Radio program On the Media and co-host of the Slate podcast on language, Lexicon Valley.

But now, things are bleak. “Unless you are in gambling, search or porn, there’s just no money to be made,” he said.

Garfield was in Australia recently to keynote and moderate the media stream at the ADMA Global Forum. That’s the Association for Data-driven Marketing and Advertising, formerly the Australian Direct Marketing Association.

In this conversation with Corrupted Nerds, he explains why, basically, we’re all fucked.

This interview was recorded on 30 July 2014 in Sydney, Australia.

For full credits see: http://corruptednerds.com/pod/c00011/

Conversations 10: Michelle Dennedy, privacy engineering
https://corruptednerds.com/pod/c00010/
Published: Sun, 25 May 2014 09:59:52 +0000

Why do so many internet applications end up being hit with privacy disasters? Why not make sure they handle personal data properly to begin with? There’s a process for that, and it’s called “privacy engineering”.

Michelle Dennedy is chief privacy officer with information security firm McAfee and, along with a family member and her business partner, is co-author of the book The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value. The ebook is available for free.

“Oftentimes what you find is that [privacy] is the realm of the lawyer, or the risk manager if you’re lucky, or maybe the odd finance guy will wander into the cave every now and again,” Dennedy said. “Then you go and you talk to the people who are slinging code, or buying services or software or techniques, or going to the cloud and dreaming up technical stuff, and they say to you, ‘Kinda leave us in our cave over here, and go write your little policies, they’re so cute, and then maybe at the end of it — maybe — you get to write some terms and conditions to get me out of my obligations.'”

You recognise that scenario, right? It’s another of those ethical shortfalls, where the rules that society has agreed to operate by are seen as just another inconvenience to be avoided.

Privacy engineering is the process of turning various policies, from privacy laws to the needs of the business’ plan for data, into something that programmers can work with — indeed, something they’ll want to work with because it’s now an engineering problem. It’s also something that quality assurance (QA) processes can deal with.

[Photo: Original photo of Michelle Dennedy via BankInfoSecurity.com, not credited. Digital manipulation by Stilgherrian, available for re-use under a Creative Commons Attribution-NoDerivs license (CC BY-ND).]

This interview was recorded on 6 May 2014 in Sydney, Australia.

For full credits see: http://corruptednerds.com/pod/c00010/

Duration: 23:56

Conversations 9: Amateur satellite intel with David Jorm
https://corruptednerds.com/pod/c00009/
Published: Sat, 23 Nov 2013 07:21:48 +0000

It’d be fair to say that most of us in western countries like Australia have a cartoon view of North Korea — over the top patriotic songs or clichéd images of military parades and speeches. But a growing group of amateur North Korea watchers is changing that.

David Jorm is one of them.

His day job is as a security response engineer for a well-known Linux vendor associated with headwear. But he also studies geography and mathematics at the University of Queensland, and he’s started using open or commercially available satellite imagery and other data to analyse what’s going on in North Korea.

This interview was recorded on 27 October 2013 in Melbourne, Australia.

Duration: 24:57

Conversations 8: E-voting with Dr Vanessa Teague
https://corruptednerds.com/pod/c00008/
Published: Mon, 04 Nov 2013 12:00:37 +0000

With Western Australia’s senate election result in doubt, thanks in part to 1375 completed ballot papers going missing, electronic voting is being discussed once more. But e-voting isn’t the magic solution some think it is.

“There isn’t a secure solution for voting over the internet. There isn’t a good way of authenticating voters, that is, making sure that the person at the other end of the connection is the eligible voter they say they are. There isn’t an easy, usable way of helping voters to make sure that the vote they send is the vote they wanted, even if their PC is infected with malware or administered by somebody who wants to vote differently,” says Dr Vanessa Teague from the University of Melbourne, who studies the cryptographic protocols used by electronic voting systems.

“And although there are some techniques for providing evidence that encrypted votes have been properly decrypted and tallied, it’s hard to scale those techniques to large Australian elections.”

Teague’s presentation at the Ruxcon security conference, “Electronic Voting Security, Privacy and Verifiability”, blew holes in the idea that any currently-available electronic voting system can do a better job than pencil and paper — and the audience tended to agree.

Teague asked her audience of some 300 to 400 hackers whether they thought internet voting would be a good idea. Maybe two hands went up. A bad idea? Pretty much every other hand was raised immediately. And that was before they heard her presentation.

“We have to be careful that the computers cast the vote that the voter actually intended to cast, and we have to make sure there’s evidence that all of the votes are properly recorded and transmitted and tallied,” she says.

This interview was recorded on 27 October 2013 in Melbourne, Australia.

This episode of Corrupted Nerds: Conversations was sponsored by AVG Technologies Australia New Zealand. With over 155 million users, AVG’s powerful yet easy-to-use software and online services put you in control of your security and your privacy — visit www.avg.com.au.

A Patch Monday podcast from 15 March 2010 in which Jan Meier, a Norwegian digital identity specialist who worked on the Netherlands’ first large-scale internet-based election, said, “I would say that the only system that really lives up to the expectations of transparency and anonymity, that is really the old paper analogue system.”

[Photo: Original photo of Dr Vanessa Teague courtesy of the University of Melbourne. Digital manipulation by Stilgherrian, available for re-use under a Creative Commons Attribution-NoDerivs license (CC BY-ND).]

Duration: 33:18

Conversations 7: Senator Scott Ludlam and security
https://corruptednerds.com/pod/c00007/
Published: Sun, 03 Nov 2013 03:17:42 +0000

A brief conversation with Greens Senator Scott Ludlam recorded at the Ruxcon 2013 security conference provides an excuse to discuss the Attorney-General’s appointment of a former ASIO director-general as his chief of staff.

Senator George Brandis, Australia’s new Attorney-General under the Coalition government, announced the appointment of Paul O’Sullivan as his chief of staff on 17 October.

O’Sullivan has a distinguished career in public service, including as Director-General of ASIO, a Permanent Representative to the United Nations, Ambassador to Germany, High Commissioner to New Zealand and National Security Adviser to Prime Minister John Howard.

“The appointment will underline the strong national security focus which I intend to bring to the Attorney-General’s portfolio,” Brandis said in a statement emailed to the media just after 1800 AEDT on a day when the news was dominated by the bushfire threat in New South Wales, where it was feared hundreds of homes had been destroyed.

“National security seems to have become the over-riding pre-occupation of the Attorney-General’s office, such that it’s hard to get them to talk about anything else,” Ludlam told Corrupted Nerds, describing the timing of the announcement as “extremely cynical”.

“Maybe it’s an indicator that there’s some nervousness there about some kind of public backlash. It’s hard to read. I think what we will see, though, the repetitive pattern of behaviour on behalf of the attorney-general’s department, you could predict safely that it will only be a matter of time before the data retention raises its head, for example, and I’m not expecting anything at all progressive — despite the fact that Senator Brandis prides himself as a true liberal.”

The interview was recorded on 26 October 2013 in Melbourne, Australia. Stilgherrian’s commentary was written and recorded 3 November 2013.

[Photo: Original photo of Senator Scott Ludlam courtesy of Australian Greens. Digital manipulation by Stilgherrian, available for re-use under a Creative Commons Attribution-NoDerivs license (CC BY-ND).]

Breakpoint Day 2: Cars, drives and BIOS hacks
https://corruptednerds.com/blog/breakpoint-2013-day-2/
Sun, 27 Oct 2013 22:24:12 +0000

If Smart TVs were the hardware hack highlight of Breakpoint Day 1, then hacking highly-computerised cars was most certainly the highlight of Day 2 of this information security conference in Melbourne on Friday.

Cars are now highly-networked devices, with CAN bus signals controlling everything from the engine and brakes to lighting, door locks and the entertainment systems — as well as the dashboard displays that tell the driver what’s happening. But the digital protocols are optimised for speed and reliability, not security.

While you can’t buy high-end CAN protocol analyser hardware without a license from the vendor, it’s reasonably straightforward to build your own tools — as happened with this project. All the hardware designs and software used in this project are open source.

Using these tools, the research team reverse engineered the CAN bus commands, first by passively watching the data stream, then by seeing how that data stream changed by operating functions in the car, and then by sending their own commands down the CAN bus to see what happened. They referred to these stages as “sniff”, “poke” and “write”.

“You might want to use someone else’s car for this… I’ve broken two cars and it’s hard to explain,” one said.

Sumers and Zulauf showed how they could, for example, rev the engine to 4000 rpm while the dashboard tachometer showed it running at a slow idle, or send nonsensical error messages to the alphanumeric display. “Let me tell you about air bags some time,” Sumers said.

Many of the car’s operations, such as choosing the fuel flow and ignition timing for different engine speeds and other conditions, are done using look-up tables, and other researchers have shown how these can be changed even while the car is running.

Given the system’s poor security, all this opens up some interesting possibilities for attackers. If the driver has paired their smartphone to the car using Bluetooth, for example, an attacker could infect that phone with malware and control the car remotely — and some work has been done on this.

“Personally I’m waiting for ransomware for cars,” said one audience member, where the car is disabled until the attacker is paid the unlock fee.

In another presentation, French researcher Paul Rascagneres described how he penetrated the command and control infrastructure of the systems running APT1, the alleged state-sponsored Chinese hacking group.

Rascagneres monitored the group’s activities and found that they were well organised, worked during office hours, and used custom-made malware. They had more than 300 servers, one per target, which connected via proxy servers to hide their true location.

Rascagneres says he confirmed with each site’s owners that the login details were genuine, or at least had been at some stage.

In yet other presentations, John Butterworth, a security researcher at The MITRE Corporation who specialises in low-level system security, demonstrated a technique by which malware inserted into a computer’s BIOS firmware could survive attempts to remove it by re-flashing or upgrading the BIOS, and Dutch researcher Jeroen Domburg discussed how the firmware of a hard disc drive could be hacked so that data could be hidden between the “official” places to store data on the drive.

Domburg demonstrated how the drive could be hacked so that it worked perfectly normally except in certain specific circumstances — such as when accessing particular files or at certain times, when it could change the data being stored or return false data.

[Photo: Part of an equation from Silvio Cesare's presentation, "A Whirlwind Tour of Academic Techniques for Real-World Security Researchers". Available for re-use under a Creative Commons Attribution-NoDerivs license (CC BY-ND).]

Breakpoint Day 1: Smart TVs to the digital arms trade
https://corruptednerds.com/blog/breakpoint-2013-day-1/
Thu, 24 Oct 2013 21:59:31 +0000

From turning a Smart TV into a surveillance device to a discussion of the economics of the digital arms market, and many, many deep dives into hacks — that’s Breakpoint Day 1.

My personal highlight was a demonstration on how to hack a Smart TV from “an unnamed vendor” — a large non-Japanese company whose name starts with a consonant from the second half of the alphabet — by SeungJin Lee.

Lee’s presentation showed how appallingly insecure one model of this vendor’s Smart TVs was — all the applications ran as “root”, the administrative user, for example, which means that a malicious app could do pretty much whatever it likes — and how the camera- and microphone-equipped devices could be turned into video surveillance machines.

“Do not put the Smart TV in the bedroom,” he said. Good advice.

Lee also showed how he could pop up a fake news headline graphic over the top of the genuine live video stream from a news channel. The possibilities for mischief are obvious.

Michael Sulmeyer, a senior fellow at the Center for Strategic and International Studies in Washington DC, discussed the economics of the digital arms market.

Traditional arms markets for weapons of national power and prestige are what he called a “monopsony”, with the government being the only buyer, and only a handful of vendors. Prices are high, and get higher as projects unfold due to vendor lock-in, the lack of competition and the long project cycles. Platforms are usually sold as goods, not services. After all, you don’t want the contractors to be running the ICBMs.

Digital arms are different, however, being fast and cheap to produce, and easy to replicate, and often there are questions about their legitimate civilian uses. As a result some academics are suggesting a move towards agreements to control their use along the lines of the Wassenaar Arrangement.

My third choice for a highlight was an explanation of how you can effectively inoculate your organisation against phishing attacks, by Dan Tentler.

“How do you teach a person to duck a punch? You punch them in the face until they get it,” Tentler said.

If your people keep getting hit with viagra spam, you need to hit them with viagra spam too. Spearphish your people regularly, and if they fall for it you explain how they could have spotted the tricks. By the time they get hit with a real phishing campaign, hopefully they’ve got some “muscle memory” and won’t automatically click.

Breakpoint and Ruxcon coverage brought to you by…
https://corruptednerds.com/blog/breakpoint-ruxcon-thank-you/
Wed, 23 Oct 2013 20:20:51 +0000

Corrupted Nerds coverage of the Breakpoint and Ruxcon conferences is brought to you by 74 generous Pozible supporters. Thank you all very much.

Thanks to: Nokia Australia for the loan of a Nokia Lumia 1020 smartphone and Vodafone Australia for 4G connectivity and bandwidth.

How will we cover Breakpoint and Ruxcon?
https://corruptednerds.com/blog/breakpoint-ruxcon-coverage-planning/
Tue, 22 Oct 2013 19:56:42 +0000

Thanks to a Pozible crowdfunding campaign that was successful so quickly that I didn’t even have time to promote it properly here, I’m covering the Breakpoint and Ruxcon hacker conferences in Melbourne starting tomorrow. As part of the deal, supporters will help decide how that happens.

If you’re one of my supporters, please read this post and answer the highlighted questions, and make any other comments you want to make. Or not. You are also free to trust my judgement — and I’ll be explaining my decisions as I go along.

If you’re not, well, this is an explanation of what you can expect. You can make suggestions too, but I will weigh them less in my considerations.

The funding model is detailed below, but the short version is that we’ve got roughly $2000 in the production pool, and that can be allocated to, say, four podcasts at $500 each, or four 1000-word articles at $500 each, or eight 500-word articles, or a mix thereof.

Question 1: Do you prefer written stories or podcasts?

There has to be at least one podcast, because AVG Technologies AU has to get the one-podcast sponsorship they’ve paid for. And I like making podcasts.

I’ll try to get into as many of the conference sessions as I can. Here are the programs for Breakpoint and Ruxcon. I can tweet and Instagram those as we go along, summarising the key points, but the more attention I pay to providing live coverage, the less attention I can pay to keeping good notes — which means more lag time before any written stories appear.

Now I happen to think that rushing out daily news cycle stories is not the best use of my time. I know that I write much better material when I have time to absorb it, reflect, make connections and write. But you may not prefer to wait. It’s up to you.

Question 2: What is your preferred balance in terms of live coverage versus quick stories on the day versus more reflective stories the following week?

If I think about it a bit more, I can weave material from a series of presentations into a narrative, such as Black hats and whitegoods from AusCERT 2011.

Or maybe you can’t tell the difference. So here’s a list of all my recent written pieces. Tell me if anything triggers you wanting to say “More like that one please!”

Question 4: Are there any must-haves?

Does anything in the program stand out for you? Are there any themes that you’d be interested in exploring?

Is there anything I’ve forgotten to ask?

Stream 1 Commitments

Stream 1 will be stories that I’ve pitched to my editors in the usual way, or that they’ve commissioned. They get to decide what the stories are about, they’ll pay their usual rates, and they’ll get to use the stories in the usual way.

I’m definitely writing a 1000-word piece for CSO Online on Monday 28 October. I will be pitching stories to other outlets as the conferences unfold. If I have time.

Stream 2 Funding Model

Stream 2 is the stories you’ve funded. For every $500 raised beyond the initial $1800 target, and we’ve got around $2000 for that, I’ll produce one “media object” — either a 30-minute podcast, or a written article of 1000+ words. I’ll work with you, the supporters, to decide what they’ll be about, through some sort of consensus process that we’ll figure out later.

(There’s bound to be a sub-$500 fraction left over at the end too, and perhaps savings from the $1800 target, so that’ll be turned into stories pro-rata. I’ll also split 1000-word blocks into two 500-word blocks if that’s what you’d prefer.)

All Stream 2 items will be published here at Corrupted Nerds website, and made available under a Creative Commons Attribution-NoDerivs license (CC BY-ND). That means anyone will be able to republish them free of charge — provided they run them unmodified and give credit.

The Conversation works much like this. Think of it as a news wire service that doesn’t charge — but at the same time doesn’t give exclusivity.

In mid-November, I will create an ebook containing all of the final media items produced — the blog posts plus the Stream 1 and Stream 2 items — as a reward for supporters and for subsequent sale.

I will also create a bonus ebook containing extra material such as photos, out-takes and various production documents — as a reward for the extra special supporters. Each one will include an individual, personal dedication.

Conversations 6: Joy of DDoS with Akamai’s Michael Smith
https://corruptednerds.com/pod/c00006/
Sun, 13 Oct 2013 08:15:47 +0000

Distributed denial of service (DDoS) attacks are cheap and easy to do. It’s just a matter of overwhelming the target site with a flood of internet traffic. According to Michael Smith, head of Akamai Technologies’ computer security incident response team (CSIRT), such attacks will only get worse as we roll out faster broadband infrastructure.

“That increases the amount of bandwidth available to the home, but that also increases that amount of bandwidth that a bunch of computers at the home can throw at a target site,” Smith says on today’s episode of Corrupted Nerds: Conversations.

Attackers are getting smarter, too. Rather than attacking the infrastructure that supports a website, they’re attacking at the application layer — sending what appear to be valid website requests, but which result in a heavy load of database requests or processor time.

“The more secure that your site is, ’cos you’re checking for all these things for confidentiality and integrity, the harder it is to actually defend that site against an application DDoS attack,” Smith said.

This interview was recorded on 4 September 2013 via Skype to Sydney, Australia.

Episode Notes

Patch Monday podcast from 2 October 2012, DDoS attacks: 150Gb per second and rising, with Alex Caro, Akamai Technologies’ chief technology officer and vice-president of services for Asia Pacific and Japan, and Tal Be’ery, web security research team leader at Imperva.

Wikipedia entry on SQL injection, an attack that attempts to insert malicious SQL database commands into a web application.

Conversations 5: Vulnerability scanning to the rescue
https://corruptednerds.com/pod/c00005/
Sun, 29 Sep 2013 06:30:50 +0000

“Networks are living and breathing things. They don’t sit still. Your vulnerabilities will change on a daily basis, for sure, and you need to be on top of that,” says Dick Bussiere, principal architect for Tenable Network Security in the Asia Pacific region.

That’s why Tenable is advocating what they see as a revolution in maintaining a data network’s security posture.

“We’re kind of advocating that people perform vulnerability assessment, and remediation of vulnerabilities, as a constant and continuous process, rather than something that you do on a periodic basis,” Bussiere says.

By a happy coincidence, that matches the processes of continuous vulnerability measurement and measured risk reduction that are now mandated for US government networks — creating a ready market for Tenable, and a salutary model for others to follow.

I haven’t linked to any material about the revelations of Edward Snowden because the story is moving so quickly. You’d be better off consulting your favourite daily news outlet.

This interview was recorded on 3 September 2013 in Sydney, Australia.

Conversations 4: Will the cloud run out of steam?
https://corruptednerds.com/pod/c00004/
Tue, 13 Aug 2013 08:30:44 +0000

As we move more and more information services into the cloud, we could run into an energy roadblock — not in the data centres themselves, which are becoming increasingly energy-efficient, but in the wireless devices we use for connectivity.

“The energy-efficiency of telecommunications and ICT gets worse the closer you get to the household. The big power-consumption component resides in how you get into the cloud, that is, wireless access,” says Dr Kerry Hinton, a research fellow at the Centre for Energy-Efficient Telecommunications (CEET) in Melbourne.

We’re talking about millions of customers, and hundreds of thousands of wireless base stations — and in the Third World, many base stations aren’t powered by the electricity grid, because it’s too unreliable, but by diesel generators running 24/7.

“It is an open question as to how we can sustain ongoing exponential growth of internet and information services,” says Hinton on today’s episode of Corrupted Nerds: Conversations.

“The internet consumes about one or two percent of the world’s electricity generation, definitely climbing, and if we don’t produce improvements in energy efficiency for ICT equipment, we’ll be heading up towards about ten percent by about 2025. That’s a big jump, and it really means that the challenge is on to make sure that ICT doesn’t become an energy monster and produces roadblocks to using ICT to improve society.”

Episode Notes

Greenpeace International’s report How Clean is Your Cloud?, April 2012. In a breathtaking irony, Greenpeace has hosted the report at Issuu — that is, in the dirty cloud — and you can only download it for more energy-efficient offline reading by signing up with this third party.

GreenTouch, “a consortium of leading ICT industry, academic and non-governmental research experts dedicated to fundamentally transforming communications and data networks, including the Internet, and significantly reducing the carbon footprint of ICT devices, platforms and networks.” Their goal is to increase network energy efficiency by a factor of 1000 by 2015, compared to 2010 levels.

Moore’s Law, which noted that the number of transistors on integrated circuits doubles approximately every two years.

[Update 6 October 2013: I’ve temporarily turned off comments on this post because it’s being hit hard by Japanese spambots.]

This interview was recorded on 9 April 2013 in Sydney, Australia.